Escaping the Fuzz - Evaluating Fuzzing Techniques and Fooling them with Anti-Fuzzing

Fuzzing is used to find vulnerabilities in applications by sending garbled data as input and then monitoring the application for crashes. Over the years, this simple technique has evolved into an advanced testing technique that has been used to find serious vulnerabilities in a wide range of applications. This thesis sets out to evaluate two state-of-the-art fuzzers and pinpoint their weaknesses. The thesis also investigates anti-fuzzing: a technique that masks crashes from fuzzers. If crashes are not detected, fuzzers become useless when it comes to detecting vulnerabilities in software. The fuzzers are tested against a test suite of security vulnerability challenges from the DARPA Cyber Grand Challenge and then against the same test suite when anti-fuzzing capabilities have been incorporated. Our results show that it is relatively easy to implement and apply anti-fuzzing techniques that are able to completely mask crashes and, by extension, vulnerabilities from fuzzers.

Create a reference in various formats (copy and paste)

BibTeX

@mastersthesis{Edholm2016,
  author    = {Edholm, Emil and Göransson, David},
  title     = {Escaping the Fuzz - Evaluating Fuzzing Techniques and Fooling them with Anti-Fuzzing},
  abstract  = {Fuzzing is used to find vulnerabilities in applications by sending garbled data as input and then monitoring the application for crashes. Over the years, this simple technique has evolved into an advanced testing technique that has been used to find serious vulnerabilities in a wide range of applications. This thesis sets out to evaluate two state-of-the-art fuzzers and pinpoint their weaknesses. The thesis also investigates anti-fuzzing: a technique that masks crashes from fuzzers. If crashes are not detected, fuzzers become useless when it comes to detecting vulnerabilities in software. The fuzzers are tested against a test suite of security vulnerability challenges from the DARPA Cyber Grand Challenge and then against the same test suite when anti-fuzzing capabilities have been incorporated. Our results show that it is relatively easy to implement and apply anti-fuzzing techniques that are able to completely mask crashes and, by extension, vulnerabilities from fuzzers.},
  publisher = {Institutionen för data- och informationsteknik (Chalmers), Chalmers tekniska högskola},
  place     = {Göteborg},
  year      = {2016},
  keywords  = {security, fuzzing, fuzzer, anti-fuzzing, fuzz-testing},
  note      = {64},
}

RefWorks

RT Generic
SR Electronic
ID 238600
A1 Edholm, Emil
A1 Göransson, David
T1 Escaping the Fuzz - Evaluating Fuzzing Techniques and Fooling them with Anti-Fuzzing
YR 2016
AB Fuzzing is used to find vulnerabilities in applications by sending garbled data as input and then monitoring the application for crashes. Over the years, this simple technique has evolved into an advanced testing technique that has been used to find serious vulnerabilities in a wide range of applications. This thesis sets out to evaluate two state-of-the-art fuzzers and pinpoint their weaknesses. The thesis also investigates anti-fuzzing: a technique that masks crashes from fuzzers. If crashes are not detected, fuzzers become useless when it comes to detecting vulnerabilities in software. The fuzzers are tested against a test suite of security vulnerability challenges from the DARPA Cyber Grand Challenge and then against the same test suite when anti-fuzzing capabilities have been incorporated. Our results show that it is relatively easy to implement and apply anti-fuzzing techniques that are able to completely mask crashes and, by extension, vulnerabilities from fuzzers.
PB Institutionen för data- och informationsteknik (Chalmers), Chalmers tekniska högskola
LA eng
LK http://publications.lib.chalmers.se/records/fulltext/238600/238600.pdf
OL 30